Chamilo LMS Stored Cross-Site Scripting Vulnerability in Message Compose Feature

A stored cross-site scripting vulnerability has been identified in Chamilo LMS version 1.11.28. This issue arises in the message compose feature, where attackers can inject malicious scripts into messages. These scripts are executed when the victim, such as an administrator, replies to the message. The vulnerability is rooted in improper sanitization of user inputs, allowing arbitrary HTML and JavaScript to be embedded and executed in the context of the user.

Impact

Exploitation of this vulnerability allows for the theft of session cookies, enabling account hijacking. Attackers could escalate privileges or compromise sensitive accounts, such as administrators. Additionally, the persistent nature of the attack means that all future interactions with the message could be compromised.

Reproduction

To reproduce this vulnerability, create two accounts: one for the attacker and one for the victim (e.g., an admin). Log in as the attacker and navigate to the message compose feature. Select a victim account to send the message to. In the 'Alternative Text' field for images, inject a script payload, such as an image tag with an 'onerror' event. After sending the message, log in as the victim and reply to the message. The injected script will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to the latest version of Chamilo LMS, where this vulnerability has been fixed. Instructions for updating can be found in the Chamilo LMS documentation.